Critical national infrastructure organisations are a target for cyber attacks: steps to understanding your risk exposure

Cybercrime forces companies of all sizes in almost every sector to take stock, but for those organisations that make up our critical national infrastructure, the threat of a cyber attack has serious repercussions that reach far beyond the disruption to the individual business. Yet we all depend on the reliable functioning of our critical infrastructure – and to some extent we take it for granted that it will always be there for us.

High-profile attacks (and those never made public) tell us that this is not always the case. So what can we do to better protect ourselves against the threat of a serious breach? In many organisations, much of the critical national infrastructure technology environment pre-dates the Internet when managing industrial control systems (ICS) and supervisory control and data acquisition systems (SCADA) was easier than it is today. Years ago systems were largely proprietary and isolated and operation managers worked on site. There was no need to connect them to the corporate network or Internet – and the Internet was not what it is today. Management of these systems rarely fell under IT control.

But these systems are increasingly connecting to more open and often public networks (like the Internet) in an attempt to streamline business, improve communication in the supply chain and to find new intelligence from the latest technology trends such as Big Data and the Internet of Things (IoT).

Added to this, there’s a growing desire for engineers, in particular, to connect to control systems remotely. Thirty or so years ago, physical threats were the biggest concern, now it is more likely to be a cyber attack that poses the greatest threat to these organisations. But often the complexity of these networks means that operations managers are reluctant to relinquish control and IT departments are unwilling to take responsibility for what they see as uncontrolled and mysterious environments with archaic hardware.

New connections inevitably mean new threats. Global research from Ponemon shows that nearly 70 per cent of critical infrastructure managers reported at least one security breach that led to the loss of confidential information or disruption to operations in the past 12 months. In addition, 78 per cent said a successful attack on their organisation’s ICS or SCADA systems is at least somewhat likely within the next 24 months. Yet only one in six respondents described their organisation’s IT security programme or activities as ‘mature’.

Recent years have seen some well publicised SCADA attacks, such as Stuxnet that disrupted Iran’s uranium facility in 2010, yet security is still not a priority for many organisations that form our global critical national infrastructure. Only 28 per cent of people that took part in the Ponemon survey said that security was ranked as a top five strategic priority for their organisation – and yet minimising downtime was a top priority for the majority of respondents. In other words, minimising downtime is a priority, but not enough is being done to reduce that risk.

Understanding risk exposure

Sitting tight and doing nothing is no longer an option. The risk of a cyber attack is not going away and critical systems such as SCADA and ICS are not becoming less vulnerable to attack, but more so. A first step in controlling risk is to understand your current risk exposure across all areas of the business and prioritising the areas on which it is critical to focus. As these networks are extremely complex and often use proprietary hardware, it is vital that assessment and testing is conducted by specialists who fully understand the intricacies of control networks.

As part of a move towards gaining greater insight into security risks, organisations need to take these steps:

  • Evaluate their risk exposure in the context of commercial objectives
  • Place current exposure in the context of industry best practice
  • Define remedial actions, activities and a longer term strategic roadmap
  • Communicate the strategy to key stakeholders across the business
  • Repeat the process regularly in order to make more informed decisions and to drive down incidents.

The last thing that any organisation wants is to make the headlines following a security breach. The damage to a company’s reputation can be huge, as can the financial and remediation costs. It is not a case of if it will happen, but when, so it is essential to have a mature, detailed incident response plan, and a starting point for this is good risk insight and a comprehensive real-time view of network activity. Timely incident response is imperative following a breach and many organisations do not have spare resources waiting to leap into action when an incident happens. Having the right incident response partner to provide the right resources to help the organisation return to business as usual as quickly as possible should a breach occur, is crucial.

Understanding risk exposure, preparing an incident response plan and continuously monitoring and managing risk in your organisation takes time and expertise. You may not have these skills in-house, or you may have tried and failed to recruit people with the right skills – there’s a growing global skills shortage in this sector that will take years to improve.

Many organisations look to outsource these critical functions to reassure themselves that systems are monitored around the clock and experts are on hand to provide essential advice and support when needed.

What is clear is that critical infrastructure and industrial plant control systems are coming under scrutiny from both attackers and defenders. It’s important for every organisation to recognise where it’s at in its own cyber security efforts and where improvements can be made, in order to identify and deal with weaknesses in their infrastructure.

Much is being done to create frameworks and draft legislation. But this will not be enough unless the industry takes control of the problem and finds ways to reduce the ever-present threats. We will get better at identifying, locating and penalising the bad guys to deter the majority of attacks. Until that day, business needs to remain vigilant to protect its own assets.

By Stuart Reed, Senior Director, Market Strategy at NTT Security.


Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.